Security in 802.11 Data Link Protocols
Gianluca Dini
Dept. of Ingegneria dell’Informazione, University of Pisa, Italy
Via Diotisalvi 2, 56100 Pisa

If you believe that any security problem can be solved by means of cryptography then you have not understood the problem (Roger Needham)
Authentication and Access Control
• Open Systems Authentication
• Closed Network Access Control
• Shared Key Authentication
WIRED EQUIVALENT PRIVACY (WEP)
WEP is a standard link-level protocol
WEP is intended to enforce
• confidentiality (main objective)
• authentication (secondary objective)
• integrity (secondary objective)
WEP uses RC4 (stream cipher)
STREAM CIPHER
Encryption: K → KSG → z_i;  c_i = m_i ⊕ z_i
Decryption: K → KSG → z_i;  p_i = c_i ⊕ z_i
• KSG: Key Sequence Generator
• m_i: i-th byte of the plaintext
• c_i: i-th byte of the ciphertext
• z_i: i-th byte of the key sequence
C = P ⊕ KSG(K)
P = C ⊕ KSG(K)
WEP: The protocol
• K: secret WEP key
• v: public initialization vector
[Figure: the message and its CRC c() are XORed (⊕) with the keystream RC4(v, K) to produce the ciphertext; the transmitted data is v followed by the ciphertext]
WEP: The protocol
• In order to send a message M to B, the station performs the following actions:
  • compute the integrity checksum c = c(M) of message M and concatenate the two to obtain the plaintext P = ⟨M, c⟩;
  • choose a public initialization vector v and compute C = P ⊕ RC4(K, v);
  • build the frame F = ⟨v, C⟩ and send it to the access point.
• Upon receiving the frame F, the access point performs the following actions:
  • compute P′ = C ⊕ RC4(K, F.v);
  • split P′ into ⟨M′, c′⟩;
  • check whether c′ = c(M′) (if not, F is rejected).
WEP: A few technical details
The size of the initialization vector is fixed at 24 bits in the standard
Two classes of WEP implementation
• standard implementation (64-bit)
• extended, "128-bit", implementation
802.11 does not specify any key distribution
• WEP relies on external mechanisms
KEY MANAGEMENT
802.11 does not specify any key management
Key management is left as an exercise for vendors
The standard allows for a unique key for each mobile station; however, in practice, most installations use a single key for an entire network
KEY MANAGEMENT: Default Keys
Four keys in each station:
Default Key Id   Key
0                Key1
1                Key2
2                Key3
3                Key4
One key is (manually) designated as a transmit key
The four keys can be used to decrypt messages
Frame body (sizes in bytes): IV Field (4) | Data (>= 1) | ICV (4); Data and ICV are encrypted
IV Field (4): IV (3) | KeyId (1)
Stations and AP can share the same key
Stations can use individual keys
KEY MANAGEMENT: Mapped Keys
Each station maintains a WEP Key Mappings Table
[Figure: WEP Key Mappings Table with columns MAC and Key, rows MAC1/Key1 through MACn/Keyn]
Tables in two stations that need to communicate must
• contain each other's MAC address
• map these MAC addresses to the same key value

• AP can support both mapped keys and default keys simultaneously
• Mapped keys MUST be used if at least one mapping is present
• Default keys MUST be used when no mapping is present
KEY MANAGEMENT: A single key for the entire network
This practice seriously impacts the security of the system
A secret shared among many users cannot remain secret for long
Reuse of a single key makes key-stream reuse attacks simpler
The fact that many users share the same key means that it is difficult to replace compromised key material
WEP: An embarrassing history
January 2001: Borisov, Goldberg and Wagner [Borisov01, Walker00]
• Encrypted messages can be modified without fear of detection
• Authentication protocol can be trivially defeated
Later, Arbaugh implemented the BGW attack [Arbaugh01]
• It is possible to decrypt any chosen packet in a few hours
August 2001: Fluhrer, Mantin and Shamir attack [Fluhrer01]
• An eavesdropper who can obtain several million encrypted packets whose first byte of plaintext is known can deduce the base RC4 key by exploiting properties of the RC4 key schedule
• An attacker can decrypt intercepted traffic, defeating confidentiality
• An attacker can forge new encrypted packets, defeating integrity and authentication
• A devastating attack!
WEP: An embarrassing history
A week later Stubblefield, Ioannidis and Rubin implemented the FMS attack [Stubblefield02]
• The first byte encrypted under WEP is fixed and known
• Ciphertext-only attack
• Few hours
• Attack is purely passive and undetectable, and can be done from a distance of a mile or more
Since then, others implemented FMS
• Off-the-shelf hardware and software
• Publicly available
WEP: Security problems
24-bit IVs are too short and this puts confidentiality at risk
CRC is insecure and does not prevent adversarial modification of intercepted packets
WEP combines IV with the key in a way that enables cryptanalytic attacks
Integrity protection for source and destination addresses is not provided
KEYSTREAM REUSE ATTACK: Overall
Encrypting two messages under the same keystream can reveal information about both messages
Let C1 = P1 ⊕ RC4(K, v) and C2 = P2 ⊕ RC4(K, v); then
C1 ⊕ C2 = P1 ⊕ P2
If P1 is known, then P2 = P1 ⊕ C1 ⊕ C2 and RC4(K, v) = C1 ⊕ P1
General keystream reuse attacks [Dawson96]
Real-world plaintexts have enough redundancy that it is possible to recover both P1 and P2 given only P1 ⊕ P2
The attack is even more effective if the attacker has n ciphertexts deriving from the same keystream
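The send/receive steps from the WEP protocol slide and the keystream reuse identity above, as an added Python example (not part of the original slides). It assumes c() is CRC-32 and that the per-packet RC4 key is v followed by K, and it omits the KeyId byte; the key, IV and messages are constructed sample values.

```python
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (the KSG of the slides)."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def wep_send(key: bytes, v: bytes, m: bytes) -> bytes:
    """Build F = <v, C> with C = <M, c(M)> xor RC4(K, v)."""
    p = m + struct.pack("<I", zlib.crc32(m))   # assumption: c() is CRC-32
    return v + xor(p, rc4(v + key, len(p)))    # assumption: RC4 key is v || K

def wep_receive(key: bytes, frame: bytes) -> bytes:
    """Return M', or raise ValueError when c' != c(M')."""
    v, c = frame[:3], frame[3:]
    p = xor(c, rc4(v + key, len(c)))
    m, icv = p[:-4], p[-4:]
    if struct.pack("<I", zlib.crc32(m)) != icv:
        raise ValueError("checksum mismatch, frame rejected")
    return m

def recover_from_reuse(f1: bytes, f2: bytes, p1: bytes) -> bytes:
    """Two frames under the same (K, v) plus known P1 give P2, without K."""
    if f1[:3] != f2[:3]:
        raise ValueError("IVs differ, so the keystreams differ")
    z = xor(f1[3:], p1)                        # RC4(K, v) = C1 xor P1
    return xor(f2[3:], z)                      # P2 = C2 xor RC4(K, v)

# Constructed sample values, not taken from the slides.
KEY, IV = bytes.fromhex("0102030405"), bytes.fromhex("000001")
F1 = wep_send(KEY, IV, b"GET /index.html HTTP/1.1")
F2 = wep_send(KEY, IV, b"user=alice&pin=4711 ok!!")
```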
• The adversary intercepts ⟨v, C⟩ and flips bits P_i and P_{i+16} by means of the message modification attack
• The adversary injects the modified packet ⟨v, C′⟩ into the network and watches to see whether B sends back a TCP ACK
• The adversary repeats the attack for many choices of i
MESSAGE DECRYPTION ATTACK: Reaction attack – a few comments
The attack exploits the willingness of the recipient to decrypt arbitrary messages
The recipient's reaction can be viewed as a side channel
We have used the recipient as an oracle to unknowingly decrypt the intercepted ciphertext for us
The use of a secure MAC (instead of CRC) would have prevented reaction attacks
COUNTERMEASURES: VPN and key management
Use a VPN to access the internal network
• obviate the need for link-layer security
• reuse a well-studied mechanism
Improve the key management
• every host has its own encryption key
• keys are changed with high frequency
(attacks on message authentication remain applicable)
COUNTERMEASURES: VPN approach
Place the wireless network outside of the organization firewall
• the wireless network is a threat
• legitimate clients employ a VPN solution to access the internal network
• illegitimate clients can neither access the internal network nor the Internet
VPN obviates the need for link-level security and reuses a well-studied mechanism
LESSONS
Designing secure protocols is difficult and requires expertise beyond that acquired in engineering network protocols
– Well-established principles in network engineering but dangerous from a security standpoint
  – privilege performance
  – be liberal in what a protocol accepts
  – be stateless
Rely on expertise of others
– Reuse past designs
– Offer new designs for public reviews
COUNTERMEASURES: short-/long-term
WiFi Protected Access (WPA) is the TGi's short-term solution
• WPA requires only changes to firmware and drivers
• Temporal Key Integrity Protocol (TKIP)
CCMP: IEEE 802.11i long-term solution
• Significant modification to existing IEEE 802.11 standard
• Highly robust solution, addresses all known WEP deficiencies, but requires new hardware and protocol changes
IEEE 802.1x, a new standard for port-based authentication and key distribution
IEEE 802.11i SHORT-TERM SOLUTION: TKIP – constraints and new elements
constraints
• allow deployed system to be software or firmware upgradeable
• allow the current WEP implementation to remain unchanged
• minimize performance degradation imposed by fixes
three new elements
• a message integrity code (MIC) to defeat forgeries
• a packet sequencing discipline to defeat replay attacks
• a per-packet key mixing function to defeat FMS attack
References
[Arbaugh01] W.A. Arbaugh, N. Shankar, and W.J. Wan, Your 802.11 wireless network has no clothes. http://www.cs.umd.edu/~waa/wireless.pdf, March 2001.
[Arbaugh01] W. Arbaugh, An Inductive Chosen Plaintext Attack Against WEP/WEP2. IEEE Document 802.11-02/230. May 2001. grouper.ieee.org/groups/802/11.
[Arbaugh03] W.A. Arbaugh, Wireless Security is Different, IEEE Computer, pp. 99–101, August 2003.
[Bellovin96] S. M. Bellovin, Problem areas for the IP security protocols, 6th USENIX Security Symposium, San Jose, California, July 1996.
[Borisov01] N. Borisov, I. Goldberg, and D. Wagner. Intercepting mobile communications: The insecurity of 802.11. Proceedings of the International Conference on Mobile Computing and Networking, pp. 180–189, July 2001.
[Dawson96] E. Dawson and L. Nielsen. Automated cryptanalysis of XOR plaintext strings. Cryptologia, (2):165–181, April 1996.
[Fluhrer01] S. Fluhrer, I. Mantin, and A. Shamir. A weakness in the key schedule algorithm of RC4. Proceedings of the 4th Annual Workshop on Selected Areas of Cryptography, 2001.
[Potter03] B. Potter, Wireless Security’s Future, IEEE Security & Privacy, pp. 68–72, July/August, 2003.
[Stubblefield02] A. Stubblefield, J. Ioannidis, and A. Rubin. Using the Fluhrer, Mantin, and Shamir attack to break WEP. Proceedings of the 2002 Network and Distributed System Security Symposium, pp. 17–22, 2002.
[Walker00] J. Walker. Unsafe at any key size: An analysis of the WEP encapsulation. IEEE Document 802.11-00/362. October 2000. grouper.ieee.org/groups/802/11.